- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate IPS
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate IPS
Hi,
Im very new to FG and would like to ask you guys..
1. is it possible to use IPS with certificate inspection (and not deep inspection) and if so what im I losing using just cert inspection.
2. Should i use IPSon every policy?
Thanks.
Labels:
- Labels:
-
FortiGate
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Since you are new to Fortigate, I would suggest checking this KB which describes best practices when it comes to the IPS: https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPs-best-practices/ta-p/198360
Without deep inspection, do not expect the IPS to detect the vulnerabilities, as they might be encrypted(with TLS for example), and without deep inspection you`ll not be able to check the payload of the packet in order to determine if the packet/traffic is matching the restrictions which are configured on the IPS profile.
Ahmad
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to add to this, this is the reason to implement WAF (web application firewall) for those internal web applications you are trying to protect. Since you cannot implement your certificate needed for DPI to everyone on the Internet, you can however, implement it on a WAF to decrypt that traffic for mitigation before it hits your internal web servers.
In regards to your second question...maybe. Intrusion is typically an inbound/ingress rule (and the need to apply a IPS ingress rule to all policies depend on what you are trying to protect inbound); however, one item that can be applied to an IPS rule is the blocking of malicious URLs and Outgoing connections to Botnet sites. I use this for traffic egressing my network to "all" destinations for example, but not for my more granular specific trusted destination networks/hosts on the Internet. So the same logic can also be used for your ingress rules too. If you have a trusted network/host on the Internet for some reason or another, then maybe you don't need to apply a IPS rule for that policy...but again, maybe.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
> 1. is it possible to use IPS with certificate inspection (and not deep inspection)
Yes.
> and if so what im I losing using just cert inspection.
As mentioned by aahmadzada the FortiGate might not be able to scan all content if it is TLS encrypted.
Some attacks can be detected with certificate inspection but not all of them.
Many signatures require deep inspection to decrypt the traffic and inspect the actual payload. Those attacks will not be detected with certificate inspection.
> 2. Should i use IPSon every policy?
No, you shouldn't simply due to performance reasons.
Depending on the size of your device and the type/amount of CPU cores you can easily saturate the CPUs with scanning tasks.
You can of course scan all traffic with IPS for better security and monitor the CPU usage i.e. with "diag sys top".
If there is any IPS process listed with a higher CPU load, then the scanning is likely too much and should be reduced.
Regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So if i have user lan to server lan policy and a server lan to user lan polocy, I should enable ips on the two?
Created on 04-25-2023 05:02 PM Edited on 04-25-2023 05:06 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I like the idea of having your servers protected from both external and internal users. This will give you maximal security, but also be mindful of the work it takes to maintain that. This is why those IPS sensors need to be customized down to your environment (what are your servers' serving). Monitor and testing will have to be done to weed out false positives as others have mentioned, along with making sure your firewall can handle the added processing burden as well. In regards to your server to user lan policy, are you concerned that your users/devices on your server LAN will attack your users LAN? Not saying that is outside the realm of possibility, but I would be more prone to use those resources to protect clients from the Internet as I trust my server LAN, if that makes sense.
In essence, you are given a finite amount of processing resources and you have to determine what's more important to protect with those resources. Using those resources on a Server LAN to User LAN policy would be "low man on the totem pole" for me as they say....if needed at all.
Related Posts
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.